CVE-2021-23814
Summary
| CVE | CVE-2021-23814 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-12-17 20:15:00 UTC |
| Updated | 2023-12-07 18:15:00 UTC |
| Description | This affects the package unisharp/laravel-filemanager from 0.0.0. The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps: - Install a package with a web Laravel application. - Navigate to the Upload window - Upload an image file, then capture the request - Edit the request contents with a malicious file (webshell) - Enter the path of file uploaded on URL - Remote Code Execution **Note: Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in the [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories). |
Risk And Classification
Problem Types: CWE-434
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Unisharp | Laravel-filemanager | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Arbitrary File Upload in unisharp/laravel-filemanager | Snyk | CONFIRM | snyk.io | |
| github.com/UniSharp/laravel-filemanager/issues/1113 | github.com | ||
| N/A | CONFIRM | github.com | |
| laravel-filemanager/UploadController.php at master · UniSharp/laravel-filemanager · GitHub | MITRE | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Huy Nguyen
There are currently no legacy QID mappings associated with this CVE.